Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training,
learning paths, books, tutorials, and more.

Credit Cards, Encryption, and the Web

Protecting credit card
numbers used in online transactions is the most often-cited example
of the need for web security. So let’s look at the typical
credit card transactions, observe what the risks are, and see how web
security makes a difference.

A Typical Transaction

Consider a typical transaction on the Web: buying a CD from an online
music store with your credit card (Figure 1.1).

Figure 1-1. Buying a CD with your credit card over the Internet

In this example, a teenager—call her Sonia—sits down
at her dad’s computer, finds a music store on the World Wide
Web, and browses the company’s catalog. Sonia finds a rare
compact disc that she has been looking for desperately—say, a
collection of Led Zeppelin songs as performed by Tiny Tim. She creates
an order with the store’s electronic shopping cart, types in her
name and shipping address, types in her dad’s credit card
number, and clicks an onscreen button in her web browser display
labeled BUY-IT. Sonia’s CD arrives in the mail soon
thereafter. A month later, her dad gets the credit card bill in the
mail. He and Sonia then have a little discussion about her allowance
and the fact that she isn’t doing enough chores around the
house.

Both the credit card holder (Sonia’s dad) and the merchant face
risks in this transaction. For the credit card holder, two risks are
obvious and well-publicized:

The
credit card number might be “sniffed” by some electronic
villain as it travels across the Internet. That person could then use
the credit card number to commit fraud. To make things worse, the
credit card holder might not realize the card’s number has been
stolen until the statement is received. By that point, the
card’s credit limit has probably been maxed out with many
thousands of dollars in fraudulent charges. Let’s hope this
doesn’t happen while Dad is on a business trip.

The credit card might get billed, but the CD might never show up.
When Sonia tries to investigate, she finds that there is no
electronic CD store: the whole thing was a scam, and Sonia has lost
her dad’s money. The company that billed the credit card
doesn’t even exist anymore.

It’s these two risks that Netscape’s SSL was designed to combat. SSL
uses encryption, a mathematical
technique for scrambling information, so that data sent between
Sonia’s web browser and the online music store can’t be
surreptitiously monitored while it is in transit (see Figure 1.2). SSL also supports a sophisticated system for
digital identification, so that Sonia has some assurance that the
people operating the online music store are really who they claim to
be. (Encryption is described in Chapter 10, and
digital IDs are described in Chapter 6.)

Figure 1-2. How SSL protects an online transaction

True Names

Cybercash’s Carl Ellison notes that it is becoming less and
less useful to know the “true name” of a particular
business or web site operator. “In very old days (from stone
age communities up through Walton’s Mountain), people and
things had only one name for a lifetime, your world would contain few
enough people and things that you could remember and recall all their
names, your correspondents would be from your world, and you two
would share the same name space. In a world like that, names meant
something. With the `global village,’ especially thanks
to the Internet, the number of objects and people I correspond with
are less and less from my personal world. . . . What Sonia cares
about (quality of service, honesty, skill, size, lifetime...) is
something she might have learned in ancient days by other channels
and have tied to the true name—but today she doesn’t have
those other channels of information and because of the size of the
name space, she’s not likely to be able to tie anything to such
a name and hold that information in her head. Today, entities change
names rapidly (a good hotel I’ve stayed at has changed names
twice in the last two years), and entities have multiple names. The
assumptions upon which we humans built a reliance on names are
breaking down, and we haven’t replaced the use of names
yet.”

In fact, Ellison continues, Sonia doesn’t really care who these
people claim to be. “She cares if they’re honest and if
they’re likely to be around long enough to ship her order. The
name of someone remote probably doesn’t mean anything to
her...What she needs is certification of a keyholder’s honesty,
competence, etc. We’re just now designing certificates to carry
that information.”

SSL does a good job of protecting information while the data is in
transit and giving web users good assurances that they are
communicating with the sites they think they are. Programs that
implement the SSL protocol come in two versions: a reduced-strength
version that is sold by U.S. corporations overseas, and a
full-strength version sold by foreign companies overseas as well as
by U.S. companies for use within the United States. But even though a
lot of fuss has been made because the reduced-strength version of the
SSL program isn’t all that secure, it is still probably good
enough for encrypting most credit card transactions.[6]

Nevertheless, it’s ironic that SSL was first proposed as a safe
way for sending credit card numbers over the Internet, because it
wasn’t needed for this purpose. Here’s why:

According to the laws that govern the use of
credit cards in the United States, consumers are only liable for the
first $50 of fraudulent credit card transactions. In most cases,
credit card companies don’t even enforce the $50
limit—consumers who report fraudulent charges can simply alert
their banks and not pay. So there really isn’t any risk to
consumers in having their credit card numbers “sniffed”
over the Internet.[7]

If Sonia were billed for a CD and it never showed up, all her dad
would have to do is write his credit card company to contest the
charge.[8]

There is no need for consumers to verify the identity of merchants
that accept credit cards, because the banks that issue merchants
their credit card accounts have already done this for the consumer.
Merchants can’t charge your credit card unless they first
obtain a credit card merchant account, which involves an extensive
application procedure, a background check, and usually an onsite
visit. Indeed, credit card firms do a far better job of this
verification than Sonia could ever hope to do by herself.

The idea that SSL could secure credit card transactions was an
important part of selling Internet commerce—and specifically
Netscape’s products—to consumers. The message was simple
and effective: “Don’t do business with companies that
don’t have secure (i.e., Netscape) web servers.” But the
message was too effective: many Internet users, including some
journalists, were so intimidated by the idea of having their credit
card information stolen on the Internet that they refused to do
business with merchants that had cryptographic web servers as
well.

Ironically,
the people who were really protected by Netscape’s technology
weren’t the consumers, but banks and merchants. That’s
because they are the ones who are ultimately responsible for credit
card fraud. If a credit card merchant gets a credit card approved and
ships out a CD, the bank is obligated to pay the merchant for the
charge, even if the credit card is reported stolen later that day.
The encryption also protects merchants: if a credit card number is
stolen because of a merchant’s negligence, then the merchant
can be held liable by the bank for any fraud committed on the card.
(Credit card companies have since stated that merchants are indeed
responsible for any fraud that results from credit card numbers that
are stolen if a merchant didn’t use a cryptographically enabled
web server. Nevertheless, at this point there has been no publicly
reported example of a credit card number being “sniffed”
over a network connection, encrypted or not.)

The American Bankers Association
maintains that it’s in the interest of consumers to protect
banks and merchants from fraud. After all, fraud cuts into the
profits of banks, forcing them to raise interest rates and making it
harder for them to offer new services. Dealing with fraud can also be
very difficult for some consumers. Some people panic when faced with
a credit card bill that contains thousands of dollars in fraudulent
charges. Others simply ignore it. Unfortunately, they do so at their
peril: after a period of time (depending on the financial
institution), consumers become liable for fraudulent charges that are
not contested.

New Lessons from the Credit Card Example

It turns
out that both Sonia and the merchant face many other risks when doing
business over the Internet—risks that encryption really does
not protect against. For Sonia, these risks include:

The risk that the information she provides for this transaction will
be used against her at some time in the future. For instance,
personal information
may be obtained by a con artist and used to gain Sonia’s trust.
Or the address that she gives may end up on a mailing list and used
to bombard Sonia with unwanted physical or electronic mail.

The risk that the merchant may experiment with Sonia’s
sensitivity to price or determine the other stores at which Sonia is
shopping, allowing the merchant to selectively raise the prices that
are offered to Sonia so that they will be as high as she is willing
(or able) to pay—and definitely higher than the prices that are
charged the “average” consumer.

The risk that the merchant might somehow take over Sonia’s web
browser and use it to surreptitiously glean information from her
computer about her tastes and desires.

The risk that a rogue computer programmer might figure out a way to
gain control of Sonia’s web browser. That browser could then be
used to reformat Sonia’s hard disk. Even worse: the rogue
program might download a piece of software that scans Sonia’s
computer for sensitive information (bank account numbers, credit card
numbers, access codes, Social Security Numbers, and so on) and then
silently upload that information to other sites on the Internet for
future exploitation.

Likewise, the merchant faces real risks as well:

Sonia might try to click into the merchant’s web site and find
it down or terribly sluggish. Discouraged, she buys the records from
a competitor. Even worse, she then posts her complaints to mailing
lists, newsgroups, and her own set of WWW pages.

Sonia might in fact be a competitor—or, actually, a robot from
a competing web site—that is systematically scanning the music
store’s inventory and obtaining a complete price list.

Sonia might be Jason, a 14-year-old computer prankster who has stolen
Sonia’s credit card number and is using it illegally to improve
his CD collection.

Once the merchant obtains Sonia’s credit card number, it is
stored on the hard disk of the merchant’s computer. Jason might
break into the computer and steal all the credit card numbers,
opening the merchant to liability.

Once Jason breaks into the merchant’s computer, he might
introduce fraudulent orders directly into the company’s
order-processing database. A few days later, Jason receives thousands
of CDs in the mail.

Jason might have his own credit card. Having thoroughly compromised
the merchant’s computer, Jason begins inserting reverse charge
orders into the merchant’s credit card processing system. The
credits appear on Jason’s credit card. A few days later, he
uses a neighborhood ATM machine to turn the credits into cash.

As a prank, or as revenge for some imagined slight, Jason might alter
the store’s database or WWW pages so that the CDs customers
receive are not the ones they ordered. This might not be discovered
for a week or two, after thousands of orders have been placed. The
merchant would have the expense of paying for all the returned CDs,
processing the refunds, and losing the customer’s faith.

Or Jason might simply sabotage the online store by lowering the
prices of the merchandise to below the store’s cost.

These are the real threats of doing business on the Internet. Some of
them are shown in Figure 1.3.

Figure 1-3. The real threats of doing business on the Internet

There is nothing that is fundamentally new about these kinds of
risks: they have existed for as long as people have done business by
computer; some of these problems can also be experienced doing
business by telephone or by mail. But the Internet and the World Wide
Web magnify the risks substantially. One of the reasons for the
heightened threat on today’s networks is that the Internet
makes it far easier for people to wage anonymous or nearly anonymous
attacks against users and businesses. These attacks, in turn, can be
automated, which makes it possible for an attacker to scan thousands
of web sites and millions of users for any given vulnerability within
a very short amount of time. Finally, these attacks can be conducted
worldwide, an unfortunate consequence of the Internet’s
trans-national nature.

[6] Weak encryption is good enough for most credit card
transactions because these transactions are reversible and heavily
audited. Fraud is quickly discovered. And while it is true that an
SSL transaction that’s encrypted with a 40-bit key can be
cracked in a matter of hours by a graduate student with a laboratory
of workstations, there is no easy way to tell before attempting to
crack a message if it is a message worth cracking. It’s far,
far easier to simply scan the Net for unencrypted credit card
numbers.

[7] However, note that debit
cards, which are being widely promoted by banks nowadays,
may not have a customer liability limit. If you use a debit card, be
sure to check the fine print in the agreement with your bank!

[8] Under the law, he would need to write the
credit card company to preserve his rights to contest the
charge—a telephone call is not sufficient, although the company
might issue a temporary credit based on the call.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training,
learning paths, books, interactive tutorials, and more.